Cognito Identity federation RBAC example for Amazon? - amazon-cognito

I am using the AWS JavaScript SDK to authenticate via the Amazon authentication provider. Through the given examples, I am able to authorize a user in Cognito Identity federation for my app with the default role.
However, when I tried to use RBAC, I was unable to authenticate and get an Identity ID. I tried the following after I saw this blog (https://aws.amazon.com/blogs/aws/new-amazon-cognito-groups-and-fine-grained-role-based-access-control-2/) but none of these work:
Claim: user_id, equals, value: amzn1.account.XXXXXXXXXXX, Role: MyCustomRole
Claim: www.amazon.com:user_id, value: amzn1.account.XXXXXXXXXXX, Role: MyCustomRole
I get the below exception in the browser:
Error: NotAuthorizedException: The ambiguous role mapping rules for: www.amazon.com denied this request.
Can anyone post an example of how to use this with the Amazon identity provider?
Also, with CloudTrail, can we capture logs of these API calls?

You can use the following claims when using the Amazon token.
Claims and values are below:
iss: www.amazon.com
aud: App Id
sub: Sub from the LWA token.
Cognito docs are in the process of being updated to capture these details.
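To make the answer concrete, here is an added example (not code from the question, the blog, or AWS) that models how an identity pool applies rule-based role mapping to a federated login: rules keyed on `sub`/`iss` match the claims Cognito derives from an Amazon token, while the question's `user_id` rule matches nothing and, with `AmbiguousRoleResolution` set to `Deny`, produces exactly the "denied this request" outcome. The rule semantics (ordered rules, first match wins, ambiguous-resolution fallback) are assumed from the Cognito documentation; all ARNs, ids and claim values are constructed placeholders.

```javascript
// Added example, not code from the question or from AWS: a local model of how an
// identity pool applies rule-based role mapping to a federated login. Assumed from
// the Cognito docs: rules are tried in order, first match wins, and
// AmbiguousRoleResolution decides the no-match case. ARNs and ids are placeholders.
const ACCOUNT = '123456789012';
const DEFAULT_AUTH_ROLE = `arn:aws:iam::${ACCOUNT}:role/Cognito_DefaultAuthRole`;
const role = (name) => `arn:aws:iam::${ACCOUNT}:role/${name}`;

// Rule set the answer above implies: key on sub (the LWA identity), not user_id.
const WORKING_MAPPING = { 'www.amazon.com': {
  Type: 'Rules',
  AmbiguousRoleResolution: 'Deny', // 'AuthenticatedRole' would fall back to the default role
  RulesConfiguration: { Rules: [
    { Claim: 'sub', MatchType: 'Equals', Value: 'amzn1.account.PLACEHOLDER', RoleARN: role('MyCustomRole') },
    { Claim: 'iss', MatchType: 'Equals', Value: 'www.amazon.com', RoleARN: role('AmazonUsersRole') },
  ] },
} };

// Rule set from the question: an Amazon token yields no user_id claim, so it never matches.
const QUESTION_MAPPING = { 'www.amazon.com': {
  Type: 'Rules', AmbiguousRoleResolution: 'Deny',
  RulesConfiguration: { Rules: [
    { Claim: 'user_id', MatchType: 'Equals', Value: 'amzn1.account.PLACEHOLDER', RoleARN: role('MyCustomRole') },
  ] },
} };

// Constructed claims, shaped as the answer describes (iss, aud, sub).
const AMAZON_CLAIMS = { iss: 'www.amazon.com', aud: 'amzn1.application-oa2-client.PLACEHOLDER', sub: 'amzn1.account.PLACEHOLDER' };
function claimMatches(claimValue, matchType, value) {
  if (claimValue === undefined) return false; // an absent claim never matches in this model
  const v = String(claimValue);
  switch (matchType) {
    case 'Equals': return v === value;
    case 'NotEqual': return v !== value;
    case 'Contains': return v.includes(value);
    case 'StartsWith': return v.startsWith(value);
    default: throw new Error(`unknown MatchType ${matchType}`);
  }
}

// Returns the role ARN the pool would issue, or null when the mapping denies the
// request (the "ambiguous role mapping rules ... denied this request" case).
function resolveRole(mapping, provider, claims) {
  const m = mapping[provider];
  if (!m || m.Type !== 'Rules') return DEFAULT_AUTH_ROLE;
  for (const r of m.RulesConfiguration.Rules) {
    if (claimMatches(claims[r.Claim], r.MatchType, r.Value)) return r.RoleARN;
  }
  return m.AmbiguousRoleResolution === 'AuthenticatedRole' ? DEFAULT_AUTH_ROLE : null;
}
```

The same `WORKING_MAPPING` object is the shape you would hand to `setIdentityPoolRoles` under `RoleMappings` in the AWS SDK for JavaScript v2.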

Related

Integrating Grafana with keycloak,How to manage user access?

Problem
Integrating Grafana with Keycloak.
A realm: zzy, two users: daicy, sscc.
When I hit the Grafana URL, it redirects to Keycloak and authenticates the user.
Result:
daicy and sscc can both pass.
Hoped for:
sscc can pass, daicy fails.
What do I need to do to get the hoped-for result?
Methods I tried
I read the Keycloak document on user-based policy,
then I followed the document, but failed; all users can authenticate.
Here is my setup for authorization:
user policies
user daicy policy
user sscc policy
resource permission
Anyone managed to get through this?
Identity provider is for authentication (not for authorization). If you want to use authorization services, then they must be supported on the Service Provider side (Grafana in your case).
Unfortunately, Grafana doesn't support Keycloak authorization services out of the box. It supports only role based authorization (role_attribute_path). Unfortunately, you can't deny access for authenticated users on the Grafana side, because they will always have at least Viewer role - https://github.com/grafana/grafana/issues/23218
Grafana works well with Keycloak.
Please create a mapper within your Keycloak Grafana client in order to receive roles in the JSON userinfo.
Please see the following sample mapper.
And in your /etc/grafana/grafana.ini:
login_attribute_path = preferred_username
role_attribute_path = contains(roles[], 'admin') && 'Admin' || contains(roles[], 'editor') && 'Editor' || 'Viewer'
At the end of the configuration, restart the Grafana service and log out of all Keycloak sessions.

Issue with "Resource owner password credentials grant" in Azure AD OAuth

Unable to get the access token by directly passing the username and password.
Endpoint : https://login.microsoftonline.com/{tenant_id}/oauth2/token
grant_type: password
client_id: APPLICATION_ID
resource: https://graph.microsoft.com/.default
username: <username#microsoft.com>
password: <password>
Scope : openid
App is created in https://apps.dev.microsoft.com/
Getting an invalid_grant error:
{
"error": "invalid_grant",
"error_description": "AADSTS70002: Error validating credentials. AADSTS50126: Invalid username or password\r\nTrace ID: 1ff96bc3-29c8-48f1-b7cc-f77c01525500\r\nCorrelation ID: 9821fdf5-25dc-4b07-84b3-f084194ea123\r\nTimestamp: 2018-09-14 20:04:01Z",
"error_codes": [
70002,
50126
],
"timestamp": "2018-09-14 20:04:01Z",
"trace_id": "1ff96bc3-29c8-48f1-b7cc-f77c01525500",
"correlation_id": "9821fdf5-25dc-4b07-84b3-f084194ea123"
}
UPDATE
Looks like there is more than one issue in play here.
You were using the Azure AD token endpoint but had registered your application with Azure AD B2C by mistake (so case 2 as per my original answer).
Now, after correcting that one, you should be using the client id and client secret for this new application that is registered with Azure AD.
Make sure you have added Microsoft Graph permissions for your application in Azure AD under "required permissions" and, at the end of selecting the appropriate permissions, make sure you press the "Grant Permissions" button to give consent.
Looking at the error message and code you are getting (invalid_grant and "AADSTS70002: Error validating credentials. AADSTS50126"), I tried out ROPC exactly like you from Postman with a test application of my own, and I tried multiple different combinations of passing wrong inputs, but the exact error codes you see come only in the scenario where either my password or the username is incorrect (as the message says :)). In all other cases, the error code will be different.
So, for the username, make sure you give the fully qualified name, e.g. rohitsaigal#mydomain.onmicrosoft.com
For the password, pretty obvious.
Give it another try based on the instructions above and let's see how it goes.
ORIGINAL ANSWER
App is created in https://apps.dev.microsoft.com/
This means that your application is registered with Azure AD B2C.
Where you have registered your application doesn't match the token endpoint you are using.
Case 1 - You are looking to use Azure AD B2C
Resource Owner Password Credentials Grant is still in public preview and you will need to follow the instructions provided by Microsoft here:
Configure the resource owner password credentials flow in Azure AD B2C
The endpoint you will hit to get the token will also be different from the one you have mentioned:
https://yourtenant.b2clogin.com/<yourtenant.onmicrosoft.com>/oauth2/v2.0/token?p=B2C_1_ROPC_Auth
Case 2 - You are looking to use Azure AD B2B
In this case you are using the correct endpoint to get the token, but you have wrongly registered your application with Azure AD B2C; you will need to change that and register your application from the Azure Portal.
Instructions and details here - Integrating applications with Azure Active Directory
Just in case you need to read up on the differences between Azure AD B2B vs. B2C, look at this SO post.
Here is another useful SO post that gives information about registering your application through the Azure Portal vs. https://apps.dev.microsoft.com (the new application registration portal).
It seems like you didn't grant permissions to your app. Make sure all of the users are added to the app and ensure that you have the correct web.config parameters.
Also, ensure that the username and password are correct for the managed domain to connect. I've gotten this error before when using the incorrect user. A regular Azure global admin user may not be able to authenticate. You need to make sure you are using a CSP admin user.
This works: https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-ropc-policy?tabs=app-reg-ga&pivots=b2c-user-flow
But keep in mind that there are limitations like:
You cannot use it when a password is expired or needs to be changed.
MFA is not supported.
Social logins are not supported.

The roles generated in Keyrock are not really registered

I am creating a permission for an application in Keyrock and associating it with user A. When I do a GET request to Orion v2/entities (which is equal to the created permission), I get a "User token not authorized" message. In the PEP log I can see that the role is not associated with the user:
INFO: AZF-Client - Checking authorization to roles [] to do GET on v2/entities and app 629cd23fe9bb42c58d3fde77e0323a7e
This is really strange because I added the role containing the specific permission to user A.
Can anyone help with this? What am I doing wrong?
Please, check the following:
You are creating the OAuth2 token for the user to whom you have assigned the role.
You have created the role in the application you are using to generate the OAuth2 token.
The role has the permission assigned.

WSO2API Manager - Error Generating Access tokens with Password Grant Type

In WSO2 API Manager, I am using the Token API and trying to generate access tokens with user credentials (Password grant type), using SOAP UI to make the Token API requests. The Key Manager is the default one that comes with API Manager.
But upon requesting, I am not getting access tokens.
Instead I get the below error.
<am:fault xmlns:am="http://wso2.org/apimanager">
<am:code/>
<am:type>Status report</am:type>
<am:message>Runtime Error</am:message>
<am:description/>
</am:fault>
No exception in the console either.
Please help in addressing this issue.

AWS Cognito finding right Parameters for CognitoSyncDemo

I'm going to set up this example for the Amazon Cognito Sync demo, using Eclipse + ADK + AWS libs v2.9.
I created an identity pool in the Cognito Console, so I got the Identity Pool ID which is used in CognitoSyncClientManager.java at:
private static final String IDENTITY_POOL_ID = "us-east-1:1a23b013-1abc-123-b123-123abc1fe5";
private static final Regions REGION = Regions.US_EAST_1;
(perhaps not all regions seem to run in test mode)
I registered my (development) app in Seller Central with Eclipse Help > Android > Build > MD5 fingerprint and the package name from AndroidManifest.xml, so I got my api_key.txt value.
From the AWS documentation I got my provider URL (code as sample), which is used in DeveloperAuthenticationProvider.java at:
private static final String developerProvider = "cognito-sync.us-east-1.amazonaws.com";
private static final String cognitoSampleDeveloperAuthenticationAppEndpoint = "arn:aws:iam::123456789123:role/Cognito_TestMyAppAuth_DefaultRole";
private static final String cognitoSampleDeveloperAuthenticationAppName = "Cognito sync demo";
After creating some users who are attached to groups with IAM full access permissions, and the (auto-)generated unauthorized and authorized roles, my app is running in this way:
Login with Amazon - is running, but where will their datasets be created and is it possible I see them in the AWS Console?
Simple Browse your data (without login) - is running, unauthenticated users and their datasets appear/are counted in the Identity console
Developer Authentication fails with Username or password do not match - combined with an "Unable to reach resource..." in the LogCat.
Now I think the last missing thing in this game is the parameter cognitoSampleDeveloperAuthenticationAppEndpoint=...
Where can I find it, and what else could I have missed setting up for a fully running example?
Thanks for using the Cognito demo. Answers to your questions:
Yes, you can see the datasets in the AWS console. Navigate to Cognito inside the AWS Console and go to your identity pool. On the left hand side menu go to identity browser and you will see the list of identities or you can search for an identity. Click on the identity and you can see the datasets owned by that identity.
Developer Authentication is a feature which helps you integrate your own authentication system with Cognito. For this you should have a backend server serving users' authentication requests, and once you authenticate users you can request OpenID Connect tokens for them from Cognito using the GetOpenIdTokenForDeveloperIdentity API call. The developer provider name is the one which you set up for your identity pool in the AWS Cognito console. For using the sample you can set up a sample server application by following this blog and the readme file of the server-side application.
P.S.: Please avoid sharing your identity pool id.
Thanks,
Rachit